The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was recently signed into law as part of the omnibus appropriations bill.
Generally, the CLOUD Act updates U.S. data privacy and government surveillance laws, enacted in 1986, to better reflect current technology and practices – particularly concerning cloud computing, which involves remote data storage, often on overseas servers. The CLOUD Act requires U.S. electronic communications and remote computing service providers that are served with court orders, warrants or subpoenas under the Stored Communications Act (SCA) to turn over data in the provider’s possession, custody or control – no matter where the data is stored (although providers have the ability to petition to modify or quash such orders under certain conditions).
In light of the CLOUD Act’s passage, the U.S. Supreme Court ruled on April 17 that United States v. Microsoft – a highly publicized case addressing the government’s ability to access data stored abroad pursuant to warrants under the SCA served on U.S. providers – had become moot. The company was seeking to prevent U.S. law enforcement officials from exercising a warrant to access a user’s data as part of a drug trafficking investigation, since the data was stored on a server in Ireland. The actual residency or citizenship of the data user was unknown to Microsoft at the time it received the subpoena. The U.S. Court of Appeals for the Second Circuit had previously held that the SCA lacked extraterritorial reach, leading the government to appeal the decision to the Supreme Court.
Section 105 of the CLOUD Act also creates a framework to allow the U.S. government to enter into so-called executive agreements with other countries that would permit U.S. providers to respond to those other countries’ requests for data. Executive agreements are subject to the approval of both the attorney general and the secretary of state, and can be rejected by Congress.
The CLOUD Act also formalizes the process for providers to modify or quash a law enforcement request in cases where data is stored in a country with which the U.S. has an executive agreement. Generally, where an executive agreement exists, a provider has 14 days to challenge an SCA warrant, which it may do on the grounds that it “reasonably believes” the affected “customer or subscriber is not a U.S. person and does not reside in the U.S.” and that the disclosure of the data would “create a material risk that the provider would violate the laws” of the foreign country. A court can approve such a challenge if it determines that disclosure would violate the laws of the foreign government; that modifying or quashing the legal process is in “the interests of justice”; and that “the customer or subscriber is not a U.S. person and does not reside in the U.S.” In instances where no executive agreement exists, a warrant can be challenged through a common-law comity analysis, looking at a variety of factors, including the significance of the requested information; the particularity of the request; and the interests of the affected foreign government, the entity seeking the disclosure and the U.S. itself.
Finally, in response to privacy and civil liberty concerns, the CLOUD Act contains certain limits and restrictions on data requests, such as allowing the U.S. government to enter into executive agreements only with countries that exhibit “robust substantive and procedural protections for privacy and civil liberties” and that will “minimize the acquisition, retention, and dissemination of information concerning United States persons.”